[rule] description = """ Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. """ id = "3c44fc50-2672-48b3-af77-ff43b895ac70" license = "Elastic License v2" name = "Credential Access via Known Utilities" os_list = ["windows"] reference = [ "https://lolbas-project.github.io/", "https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth", ] version = "1.0.46" query = ''' process where event.action == "start" and process.parent.name != null and ( (process.pe.original_file_name == "procdump" and process.args : "-ma" and process.command_line : "*lsass*") or (process.name : "ProcessDump.exe" and not process.parent.executable : "?:\\Program Files*\\Cisco Systems\\*.exe") or (process.pe.original_file_name == "WriteMiniDump.exe" and not process.parent.executable : "?:\\Program Files*\\Steam\\*.exe") or /* Issue #623 - added coverage for evasion via renamed comsvcs DLL */ (process.pe.original_file_name == "RUNDLL32.EXE" and process.command_line : ("*comsvcs*24*", "*MiniDump*", "*#*24* full*")) or (process.pe.original_file_name == "RdrLeakDiag.exe" and process.args : "/fullmemdmp") or (process.pe.original_file_name == "SqlDumper.exe" and process.args : "0x01100*") or (process.pe.original_file_name == "TTTracer.exe" and process.args : "-dumpFull" and process.args : "-attach") or (process.pe.original_file_name == "ntdsutil.exe" and process.command_line : "*create*") or (process.pe.original_file_name == "diskshadow.exe" and process.args : "/s") or ((process.pe.original_file_name : "wbadmin.exe" or process.name : "wbadmin.exe") and process.args : "recovery" and process.command_line : "*ntds.dit*") or (process.pe.original_file_name == "esentutl.exe" and process.args : "/vss" and process.command_line : ("*ntds.dit*", "*\\SAM*", "*//SAM*")) or (process.pe.original_file_name == "esentutl.exe" and process.args : "/y" and process.command_line : ("*\\Cookies*", "*\\Login Data*")) or (process.pe.original_file_name == "reg.exe" and process.args : ("save", "export") and process.command_line : ("*HKLM*\\SAM *", "*hkey_local_machine*\\SAM *", "*HKLM\\security*", "*hkey_local_machine\\security*", "*HKLM\\system *", "*hkey_local_machine\\system *")) or /* generic original filename and variable number of hashes */ (process.name : "createdump.exe" and process.args : "-u") or (process.pe.original_file_name == "FX_VER_INTERNALNAME_STR" and process.args : "-u" and process.args : "-f" and process.args_count >= 3) or /* Avast Home Security signed binary */ (process.pe.original_file_name == "avDump.exe" and process.args : "–dump_file") or (process.pe.original_file_name == "DumpMinitool.exe" and process.args : "--dumpType") ) and not /* Issue #528 */ (process.pe.original_file_name == "reg.exe" and process.parent.executable : ("?:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe", "?:\\Program Files (x86)\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe")) and not (process.pe.original_file_name == "diskshadow.exe" and process.parent.name : "powershell.exe" and process.parent.args : "?:\\OmniStackBackups\\backup*") and not (process.name : "rundll32.exe" and process.command_line : "*davclnt.dll,DavSetCookie*http*MiniDump*" and process.parent.executable : "?:\\WINDOWS\\system32\\svchost.exe" and process.parent.args : "WebClient") and not (process.pe.original_file_name == "reg.exe" and process.args : "?:\\ProgramData\\Bitdefender\\ForensicArtefacts\\System\\Config\\*" and process.parent.name : "cmd.exe") and not (process.executable : "C:\\Program Files (x86)\\Dental Intel\\PMSSyncService\\procdump.exe" and process.args : "office.exe") and not (process.name : "diskshadow.exe" and process.parent.executable : "?:\\Windows\\Temp\\RackWare-winutil\\bin\\bash.exe" and process.args : "?:\\windows\\Temp\\RackWare-winutil\\*") and not (process.name : "reg.exe" and process.parent.executable : "C:\\Program Files\\SF\\EDR\\agent\\bin\\sfavtray.exe") and not (process.name : "diskshadow.exe" and process.command_line : "*\\Program Files\\ARCServe\\*") and not (process.name : "reg.exe" and process.args : "save" and process.args : "?:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\common\\ir_agent_tmp\\*" and process.working_directory : "?:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\common\\") and not (process.name : "diskshadow.exe" and process.parent.executable : "C:\\Program Files\\Barracuda\\Barracuda Backup Agent\\win\\x86_64\\BackupService.exe") ''' min_endpoint_version = "7.15.0" [[actions]] action = "kill_process" field = "process.entity_id" state = 0 [[optional_actions]] action = "rollback" field = "process.entity_id" state = 0 [[threat]] framework = "MITRE ATT&CK" [[threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" [[threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" [[threat.technique.subtechnique]] id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" [threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [internal] min_endpoint_version = "7.15.0"